git.fsl.cs.sunysb.edu Git - wrapfs-5.3.y.git/commit

author	Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
	Mon, 16 Nov 2015 17:40:48 +0000 (12:40 -0500)
committer	Sasha Levin <sasha.levin@oracle.com>
	Tue, 8 Mar 2016 02:15:06 +0000 (21:15 -0500)
commit	c801e64a896b0e6d338dbd72ea027ba21c05e702
tree	1983953a116ba9bda6b2641884869581d44c84fe	tree \| snapshot
parent	c1efb92f26f7b4ec6c3bef88b554b08858761cca	commit \| diff

xen/pciback: Save xen_pci_op commands before processing it

[ Upstream commit 8135cf8b092723dbfcc611fe6fdcb3a36c9951c5 ]

Double fetch vulnerabilities that happen when a variable is
fetched twice from shared memory but a security check is only
performed the first time.

The xen_pcibk_do_op function performs a switch statements on the op->cmd
value which is stored in shared memory. Interestingly this can result
in a double fetch vulnerability depending on the performed compiler
optimization.

This patch fixes it by saving the xen_pci_op command before
processing it. We also use 'barrier' to make sure that the
compiler does not perform any optimization.

This is part of XSA155.

CC: stable@vger.kernel.org
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

drivers/xen/xen-pciback/pciback.h		diff \| blob \| history
drivers/xen/xen-pciback/pciback_ops.c		diff \| blob \| history